Package: swift
Version: 2.35.0-4
Severity: important
As per bug #1120053:
* OSSA-2025-002: kay reported a vulnerability in Keystone’s ec2tokens and
s3tokens APIs. By sending those endpoints a valid AWS Signature (e.g., from
a presigned S3 URL), an unauthenticated attacker may obtain Keystone
authorization (ec2tokens can yield a fully scoped token; s3tokens can
reveal scope accepted by some services), resulting in unauthorized access
and privilege escalation. Deployments where /v3/ec2tokens or /v3/s3tokens
are reachable by unauthenticated clients (e.g., exposed on a public API)
are affected.
Swift needs to be modified to accept the fix for Keystone; otherwise S3
authentication will stop working.
Deployers are advised to update Swift first, as the patched Swift will work
with unpatched Keystone, while the opposite isn't true.